Hidden WordPress Malware Grants Full Control to Attackers: A Detailed Analysis

A new malware variant, cleverly disguised as a legitimate WordPress anti-malware plugin, has been discovered posing a significant threat to website security. According to a thorough analysis by the Wordfence Threat Intelligence team, this sophisticated malware allows attackers to gain full administrative control over infected websites.

While initially appearing as a harmless tool, the malware’s real intent is to offer adversaries unrestricted access to target systems, evading detection and maintaining a persistent foothold within the compromised websites. Let’s dive into the details of this complex attack and what it means for WordPress site owners.

The Attack

In January 2025, security experts identified a new type of malware camouflaged as a WordPress anti-malware plugin. This seemingly benign plugin, which appeared legitimate with standard headers and documentation, was found to contain several advanced malicious functions. These include tools for maintaining unauthorized access and evading detection by hiding from WordPress admin dashboards.

The malware introduces a function called “check_special_link,” which lets attackers confirm through GET parameters that the plugin is installed and running. The real danger, however, lies in the “emergency_login_all_admins” function. It lets an attacker log in as the first available administrator simply by sending a GET request that carries a hardcoded password. This login path is easy to spot in server logs, but it still hands the attacker full control of the site.

The malware also abuses the WordPress REST API, registering endpoints through which attackers can send arbitrary commands. These commands include clearing the caches of popular plugins and injecting malicious PHP code into the header files of the site’s themes. With that foothold, attackers can carry out a variety of malicious actions, from redirecting visitors to spam sites to loading additional harmful scripts.

To ensure long-term persistence, the malware hides itself from the plugin listing and modifies the “wp-cron.php” file so that the malware is reinstalled automatically if it is removed. This stealthy method keeps the attacker’s backdoor open even after an apparent cleanup.

The malware is evolving rapidly, with newer variants incorporating communication with a Command & Control (C&C) server based in Cyprus. This server tracks infected sites, sending and receiving data from compromised websites every minute. The malware also includes the ability to inject obfuscated JavaScript ads into targeted websites, expanding its reach and profitability.

While the initial infection vector remains under investigation, early evidence points to compromised hosting environments or stolen FTP credentials. Wordfence responded quickly, deploying detection signatures for premium users and planning broader security measures for all users by May 2025. The incident highlights the growing complexity of cyber threats targeting WordPress websites, where attackers use increasingly sophisticated tactics to gain control.
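The report notes that the hardcoded-password login is easy to see in server logs, and that the C&C traffic arrives on a fixed cadence. The following log-triage script is an added example written for this article; it is not Wordfence’s code and it does not use the real plugin’s parameter or route names. The plugin slug `example-antimalware`, the REST route `/wp-json/example/v1/cmd`, the IP addresses and the log lines are all constructed. It flags two things a defender can look for without knowing the exact backdoor: a GET request aimed directly at a PHP file under `wp-content/plugins/` that carries query parameters, and an IP polling the same REST route at a regular interval. Only parameter names are reported, so the triage output never copies the secret out of the log.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log format, enough fields for triage.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (hypothetical IPs, plugin slug and REST route; not from the report).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-content/plugins/example-antimalware/plugin.php?login=REDACTED HTTP/1.1" 302 0
203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120
198.51.100.7 - - [10/Jan/2025:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 8192
203.0.113.5 - - [10/Jan/2025:10:01:00 +0000] "POST /wp-json/example/v1/cmd HTTP/1.1" 200 30
203.0.113.5 - - [10/Jan/2025:10:02:00 +0000] "POST /wp-json/example/v1/cmd HTTP/1.1" 200 30
203.0.113.5 - - [10/Jan/2025:10:03:00 +0000] "POST /wp-json/example/v1/cmd HTTP/1.1" 200 30
198.51.100.7 - - [10/Jan/2025:10:03:30 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = tuple(sorted(parse_qs(parts.query).keys()))  # names only, never values
    rec["time"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def direct_plugin_hits(records):
    """Requests that hit a plugin PHP file directly with a query string.

    Legitimate plugin code runs inside WordPress; a direct GET to a plugin file
    carrying parameters is how a hardcoded-password login would show up.
    """
    hits = []
    for r in records:
        if (r["method"] == "GET" and r["path"].startswith("/wp-content/plugins/")
                and r["path"].endswith(".php") and r["params"]):
            hits.append((r["ip"], r["path"], r["params"]))
    return hits


def rest_beacons(records, min_hits=3, tolerance=5.0):
    """Find (ip, REST route) pairs polled on a regular cadence, e.g. once a minute.

    Returns {(ip, path): {"hits": n, "interval": mean gap in seconds}} for pairs
    whose inter-request gaps differ by at most `tolerance` seconds.
    """
    by_key = defaultdict(list)
    for r in records:
        if r["path"].startswith("/wp-json/"):
            by_key[(r["ip"], r["path"])].append(r["time"])
    found = {}
    for key, times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance:
            found[key] = {"hits": len(times), "interval": sum(gaps) / len(gaps)}
    return found


def triage(log_text):
    """Run both heuristics over raw log text; unparseable lines are skipped."""
    records = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]
    return {"direct_plugin_hits": direct_plugin_hits(records),
            "rest_beacons": rest_beacons(records)}


if __name__ == "__main__":
    for name, result in triage(SAMPLE_LOG).items():
        print(name, result)
```

Both heuristics produce false positives on some sites (a few legitimate plugins expose PHP entry points, and monitoring tools poll REST routes on a schedule), so treat a hit as a lead to correlate with the plugin directory on disk and the admin user list rather than as proof of compromise.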

What Undercode Says:

The discovery of this new malware variant is a reminder of the sophistication of modern cyber threats. The attackers have demonstrated an advanced understanding of WordPress’ inner workings, utilizing common techniques such as manipulating core files and leveraging WordPress’ own API for malicious purposes. The method of hiding the malware from site administrators and ensuring persistence by modifying “wp-cron.php” is particularly alarming. By doing so, the malware circumvents the typical ways administrators might try to remove it, keeping attackers in control even if the plugin is deleted from the site.

The use of the WordPress REST API in this attack is noteworthy. This API is intended to allow legitimate applications to interact with WordPress sites, but attackers have found a way to abuse it for malicious purposes. This raises concerns about the security of all WordPress REST endpoints, even those that are not directly linked to a plugin.

The ability for attackers to inject arbitrary PHP code into theme header files is another dangerous feature of this malware. It highlights the importance of not only securing plugins but also keeping an eye on theme files, as they can easily be manipulated to introduce additional vulnerabilities or unwanted content.

One of the most concerning aspects is the

Moreover, the malware’s ability to inject obfuscated JavaScript ads further demonstrates the monetization aspect of the campaign. By using base64 encoding to hide malicious URLs, the attackers can easily update their payloads, making it difficult for traditional security tools to detect them.
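Three of the behaviours described above (a plugin hidden from the dashboard, a modified wp-cron.php, and theme header files carrying base64-hidden payloads) all leave traces on disk. The script below is an added example for this article, not Wordfence’s tooling or any code from the malware analysis. It takes a SHA-256 manifest of every PHP file under a WordPress root, diffs it against a later manifest, and then decodes any long base64 run in the added or modified files to see whether it hides a URL or a script tag. The `demo()` function builds a constructed miniature site in a temporary directory and simulates the tampering with constructed payloads (the `ads.example` domain, the `hidden` plugin directory and the file contents are all invented for the demonstration).

```python
import base64
import hashlib
import os
import re
import tempfile

# Base64 runs long enough to hide a URL or a script tag (24+ chars, optional padding).
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Hash every .php file under root -> {relative_posix_path: sha256}.

    The on-disk tree is the ground truth: a plugin hidden from the dashboard
    listing still has a directory under wp-content/plugins/.
    """
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Added, removed and modified paths between two manifests (all sorted)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def decoded_base64_payloads(text):
    """Decode every base64-looking run and keep those that hide a URL or script tag."""
    hits = []
    for m in B64_RE.finditer(text):
        token = m.group(0)
        try:
            raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
            decoded = raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or binary once decoded
        low = decoded.lower()
        if "http://" in low or "https://" in low or "<script" in low:
            hits.append(decoded)
    return hits


def scan_changed_files(root, diff):
    """Run the base64 scan over files the manifest diff reports as added or modified."""
    findings = {}
    for rel in diff["added"] + diff["modified"]:
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as f:
            payloads = decoded_base64_payloads(f.read())
        if payloads:
            findings[rel] = payloads
    return findings


def _write(root, rel, content):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as f:
        f.write(content)


def demo():
    """Constructed mini WordPress tree: take a baseline, simulate the tampering, re-check."""
    root = tempfile.mkdtemp()
    _write(root, "wp-cron.php", "<?php // constructed stand-in for the real file\n")
    _write(root, "wp-content/themes/demo/header.php", "<?php wp_head(); ?>\n<body>\n")
    _write(root, "wp-content/plugins/seo/seo.php", "<?php // benign plugin\n")
    baseline = build_manifest(root)

    # Simulated tampering of the kinds described in the report (constructed payloads).
    injected = base64.b64encode(b'<script src="https://ads.example/x.js"></script>').decode()
    _write(root, "wp-content/themes/demo/header.php",
           "<?php wp_head(); echo base64_decode('" + injected + "'); ?>\n<body>\n")
    _write(root, "wp-cron.php", "<?php // constructed stand-in for the real file\n// reinstall hook\n")
    _write(root, "wp-content/plugins/hidden/hidden.php", "<?php // not shown in dashboard\n")

    diff = diff_manifests(baseline, build_manifest(root))
    return diff, scan_changed_files(root, diff)


if __name__ == "__main__":
    changes, findings = demo()
    print("changes:", changes)
    print("decoded payloads:", findings)
```

The baseline manifest must be taken from a known-clean install (or rebuilt from fresh WordPress and theme packages) and stored somewhere the web server cannot write, otherwise a reinstall hook in wp-cron.php could simply update the baseline along with the site. Because the base64 check only keeps decoded strings that contain a URL or script tag, long but harmless tokens such as hashes or minified identifiers are ignored.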

What stands out is how quickly Wordfence acted to deploy protective measures for their premium users. They responded within days of discovering the threat, which is crucial in limiting the damage. However, the delay in rolling out protections for free users highlights the need for faster, more immediate responses to emerging threats across all user tiers. It also reinforces the necessity of using advanced security solutions that can detect and respond to such threats in real-time.

Fact Checker Results:

  • Infection Method: The exact method of initial infection is still under investigation, but compromised hosting or stolen FTP credentials appear to be likely vectors.
  • Malware Behavior: The malware uses legitimate WordPress features like the REST API and wp-cron.php file for malicious purposes, making it difficult to detect through traditional means.
  • Response: Wordfence quickly deployed detection signatures and firewall rules to mitigate the attack, but full coverage will be available to all users by May 2025.

References:

Reported By: cyberpress.org